MS16-091: Security update for the .NET Framework: July 12, 2016

Summary
This update resolves a vulnerability in the Microsoft .NET Framework. The vulnerability could let sensitive information be disclosed if an attacker uploads a specially crafted XML file to a web-based application. To learn more about the vulnerability, see Microsoft Security Bulletin MS16-091.
More information
Important
  • All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.
  • If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Additional information about this security update
The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.

Microsoft .NET Framework 4.6 and 4.6.1

  • 3164024 MS16-091: Description of the security update for the .NET Framework 4.6 and 4.6.1 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: July 12, 2016
  • 3164023 MS16-091: Description of the security update for the .NET Framework 4.6 and 4.6.1 in Windows Server 2012: July 12, 2016
  • 3164025 MS16-091: Description of the security update for the .NET Framework 4.6 in Windows Vista SP2 and Windows Server 2008 SP2 and the .NET Framework 4.6 and 4.6.1 in Windows 7 SP1 and Windows Server 2008 R2 SP1: July 12, 2016

Microsoft .NET Framework 4.5.2

  • 3163291 MS16-091: Description of the security update for the .NET Framework 4.5.2 in Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2: July 12, 2016
  • 3163250 MS16-091: Description of the security update for the .NET Framework 4.5.2 in Windows Server 2012: July 12, 2016
  • 3163251 MS16-091: Description of the security update for the .NET Framework 4.5.2 in Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7 Service Pack 1, and Windows Server 2008 R2 Service Pack 1: July 12, 2016

Microsoft .NET Framework 3.5 and 3.5.1

  • 3163247 MS16-091: Description of the security update for the .NET Framework 3.5 in Windows 8.1 and Windows Server 2012 R2: July 12, 2016
  • 3163246 MS16-091: Description of the security update for the .NET Framework 3.5 in Windows Server 2012: July 12, 2016
  • 3163245 MS16-091: Description of the security update for the .NET Framework 3.5.1 in Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: July 12, 2016

Microsoft .NET Framework 2.0

  • 3163244 MS16-091: Description of the security update for the .NET Framework 2.0 Service Pack 2 in Windows Vista Service Pack 2 and Windows Server 2008 Service Pack 2: July 12, 2016

Security update deployment information

Windows Vista (all editions)

Reference table

The following table contains the security update information for this software.
Security update file namesFor Microsoft .NET Framework 2.0 Service Pack 2 on all supported 32-bit editions of Windows Vista:
Windows6.0-KB3163244-x86.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Vista:
NDP45-KB3163251-x86.exe
For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Vista:
NDP46-KB3164025-x86.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on all supported x64-based editions of Windows Vista:
Windows6.0-KB3163244-x64.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported x64-based editions of Windows Vista:
NDP45-KB3163251-x64.exe
For Microsoft .NET Framework 4.6 when installed on all supported x64-based editions of Windows Vista:
NDP46-KB3164025-x64.exe
Installation switchesFor Microsoft .NET Framework, see Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable
For Microsoft .NET Framework 4.5.2:
KB3142033_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt
KB3163251_*_*.html
For Microsoft .NET Framework 4.6:
KB3164025_*_*-Microsoft .NET Framework 4.6/4.6.1-MSP0.txt
KB3164025_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationFor Microsoft .NET Framework 2.0 Service Pack 2 (3163244):
A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4.5.2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB3163251
”ThisVersionInstalled” = “Y”
For Microsoft .NET Framework 4.6:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.6\ KB3164025
"ThisVersionInstalled" = "Y"

Windows Server 2008 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file namesFor Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2:
Windows6.0-KB3163244-x86.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows Server 2008 Service Pack 2:
NDP45-KB3163251-x86.exe
For Microsoft .NET Framework 4.6 when installed on all supported 32-bit editions of Windows Server 2008 Service Pack 2:
NDP46-KB3164025-x86.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2:
Windows6.0-KB3163244-x64.msu
For Microsoft .NET Framework 4.5.2 on all supported x64-based editions of Windows Server 2008 Service Pack 2:
NDP45-KB3163251-x64.exe
For Microsoft .NET Framework 4.6 on all supported x64-based editions of Windows Server 2008 Service Pack 2:
NDP46-KB3164025-x64.exe
For Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-based Systems Service Pack 2:
Windows6.0-KB3163244-ia64.msu
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 2.0 Service Pack 2:
Not applicable
For Microsoft .NET Framework 4.5.2:
KB3142033_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt
KB3163251_*_*.html
For Microsoft .NET Framework 4.6:
KB3164025_*_*-Microsoft .NET Framework 4.6/4.6.1-MSP0.txt
KB3164025_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationFor Microsoft .NET Framework 2.0 Service Pack 2 (3163244):
A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4.5.2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB3163251
”ThisVersionInstalled” = “Y”
For Microsoft .NET Framework 4.6:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.6\KB3164025
"ThisVersionInstalled" = "Y"

Windows 7 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file nameFor Microsoft .NET Framework 3.5.1 on all supported 32-bit editions of Windows 7 Service Pack 1:
Windows6.1-KB3163245-x86.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported 32-bit editions of Windows 7 Service Pack 1:
NDP45-KB3163251-x86.exe
For Microsoft .NET Framework 4.6/4.6.1 when installed on all supported 32-bit editions of Windows 7 Service Pack 1:
NDP46-KB3164025-x86.exe
For Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows 7 Service Pack 1:
Windows6.1-KB3163245-x64.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported x64-based editions of Windows 7 Service Pack 1:
NDP45-KB3163251-x64.exe
For Microsoft .NET Framework 4.6/4.6.1 when installed on all supported x64-based editions of Windows 7 Service Pack 1:
NDP46-KB3164025-x64.exe
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 3.5.1:
Not applicable.
For Microsoft .NET Framework 4.5.2:
KB3163251_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt
KB3163251_*_*.html
For Microsoft .NET Framework 4.6/4.6.1:
KB3164025_*_*-Microsoft .NET Framework 4.6/4.6.1-MSP0.txt
KB3164025_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationA registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4.5.2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB3163251
”ThisVersionInstalled” = “Y”
For Microsoft .NET Framework 4.6/4.6.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.6\KB3164025
"ThisVersionInstalled" = "Y"

Windows Server 2008 R2 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file nameFor Microsoft .NET Framework 3.5.1 on all supported x64-based editions of Windows Server 2008 R2 Service Pack 1:
Windows6.1-KB3163245-x64.msu
For Microsoft .NET Framework 4.5.2 when installed on all supported x64-based editions of Windows Server 2008 R2 Service Pack 1:
NDP45-KB3163251-x64.exe
For Microsoft .NET Framework 4.6/4.6.1 when installed on all supported 32-bit editions of Windows 7 Service Pack 1:
NDP46-KB3164025-x64.exe
For Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
Windows6.1-KB3163245-ia64.msu
Installation switchesSee Microsoft Knowledge Base Article 2844699
Update log fileFor Microsoft .NET Framework 3.5.1:
Not applicable
For Microsoft .NET Framework 4.5.2:
KB3142033_*_*-Microsoft .NET Framework [.NET target version]-MSP0.txt
KB3163251_*_*.html
For Microsoft .NET Framework 4.6/4.6.1:
KB3164025_*_*-Microsoft .NET Framework 4.6/4.6.1-MSP0.txt
KB3164025_*_*.html
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationFor Microsoft .NET Framework 3.5.1:
A registry key does not exist to validate the presence of this update. Use WMI to detect for the presence of this update.
For Microsoft .NET Framework 4.5.2:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework [.NET target version]\KB3163251
”ThisVersionInstalled” = “Y”
For Microsoft .NET Framework 4.6/4.6.1:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Microsoft .NET Framework 4.6\KB3164025
"ThisVersionInstalled" = "Y"

Windows 8.1 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file nameFor Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB3163247-x86.msu
For Microsoft .NET Framework 4.5.2 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB3163291-x86.msu
For Microsoft .NET Framework 4.6/4.6.1 on Windows 8.1 for 32-bit Systems:
Windows8.1-KB3164024-x86.msu
For Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based Systems:
Windows8.1-KB3163247-x64.msu
For Microsoft .NET Framework 4.5.2 on Windows 8.1 for x64-based Systems:
Windows8.1-KB3163291-x64.msu
For Microsoft .NET Framework 4.6/4.6.1 on Windows 8.1 for x64-based Systems:
Windows8.1-KB3164024-x64.msu
Installation switchesSee Microsoft Knowledge Base Article 2844699
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationRegistry keys do not exist to validate the presence of these updates. Use WMI to detect for the presence of these updates.

Windows Server 2012 and Windows Server 2012 R2 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file nameFor Microsoft .NET Framework 3.5 on Windows Server 2012:
Windows8-RT-KB3163246-x64.msu
For Microsoft .NET Framework 4.5.2 on Windows Server 2012:
Windows8-RT-KB3163250-x64.msu
For Microsoft .NET Framework 4.6/4.6.1 on Windows Server 2012:
Windows8-RT-KB3164023-x64.msu
For Microsoft .NET Framework 3.5 on Windows Server 2012 R2:
Windows8.1-KB3163247-x64.msu
For Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2:
Windows8.1-KB3163291-x64.msu
For Microsoft .NET Framework 4.6/4.6.1 on Windows Server 2012 R2:
Windows8.1-KB3164024-x64.msu
Installation switchesSee Microsoft Knowledge Base Article 2844699
Restart requirementThis update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.
Registry key verificationRegistry keys do not exist to validate the presence of these updates. Use WMI to detect for the presence of these updates.

Windows RT 8.1 (all editions)

Reference table

The following table contains the security update information for this software.
DeploymentThe 3163291 update is available via Windows Update only.
The 3164024 update is available via Windows Update only.
Restart RequirementA system restart is required after applying this security update.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File InformationSee the individual Knowledge Base articles that are listed in the “Additional information about this security update” section.

Windows 10 (all editions)

Reference table

The following table contains the security update information for this software.
Security update file nameFor all supported 32-bit editions of Windows 10:
Windows10.0-KB3163912-x86.msu
For all supported x64-based editions of Windows 10:
Windows10.0-KB3163912-x64.msu
For all supported 32-bit editions of Windows 10 Version 1511:
Windows10.0-KB3172985-x86.msu
For all supported x64-based editions of Windows 10 Version 1511:
Windows10.0-KB3172985-x64.msu
Installation switchesFor Microsoft .NET Framework, see Microsoft Knowledge Base Article 2844699
Restart requirementYes, you must restart your system after you apply this security update.
Removal informationClick Control Panel, click Security, click View installed updates under Windows Update, and then select from the list of updates.
File informationSee Microsoft Knowledge Base Article 3163912
See Microsoft Knowledge Base Article 3172985
Registry key verificationRegistry keys do not exist to validate the presence of these updates.

How to obtain help and support for this security update

Help for installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help for protecting your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Applies to

This article applies to the following:
  • Microsoft .NET Framework 4.6 and 4.6.1 when used with:
    • Windows Server 2012 R2
    • Windows 8.1
    • Windows Server 2012
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
  • Microsoft .NET Framework 4.6 when used with:
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
  • Microsoft .NET Framework 4.5.2 when used with:
    • Windows Server 2012 R2
    • Windows 8.1
    • Windows RT 8.1
    • Windows Server 2012
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
  • Microsoft .NET Framework 3.5.1 when used with:
    • Windows Server 2008 R2 Service Pack 1
    • Windows 7 Service Pack 1
  • Microsoft .NET Framework 3.5 when used with:
    • Windows Server 2012 R2
    • Windows 8.1
    • Windows Server 2012
  • Microsoft .NET Framework 2.0 Service Pack 2 when used with:
    • Windows Server 2008 Service Pack 2
    • Windows Vista Service Pack 2
Properties

Article ID: 3170048 - Last Review: 07/12/2016 17:22:00 - Revision: 1.0

Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 2.0 Service Pack 2

  • kbsecvulnerability kbsecurity kbsecbulletin kbfix kbexpertiseinter kbbug atdownload KB3170048
Feedback